
Tenable Blog


Finding Events that have "Never Been Seen" Before

One of the most useful things to know about any network is when something happens on a given server for the first time. The concept is very simple and extremely useful.

Regardless of whether your event logs come from UNIX systems, router access-control violations, wireless access point DHCP logs, intrusion detection systems and so on, after a certain period of time the same events tend to repeat themselves. This is because most of our networks run controlled and automated processes.

With this in mind, an event that has never occurred before may indicate a security or administration problem.

The nbs.tasl Script

Tenable's research team has written a TASL script that implements this concept for the Log Correlation Engine. The script's name, nbs.tasl, stands for "never before seen". By default, the script subscribes to all possible event IDs except for network connection events from the Tenable Network Monitor (TNM) and the Tenable Netflow Monitor (TFM).

The script checks that each event has either a source IP or a destination IP in the "Customer Ranges.asset" file, which the LCE obtains automatically from the Security Center. An organization that wants a different asset list watched can substitute it by modifying the script.

Detecting Intrusions

Tagging "new" events originating on, from or to a specific IP is very useful, especially for intrusion detection events.

For example, nbs.tasl can distinguish the first time a Snort event is generated with a given server as its source from the first time that server is simply attacked.

Consider a network that is attacked very often. The Log Correlation Engine will record many normalized IDS events inbound to monitored hosts. Very seldom (if at all) will an IDS event be generated with one of those hosts as the source, because we hope that our systems aren't attacking anyone. The first time such an event does occur, the nbs.tasl script will alert on it as "new".

Example Logs

Below is a screen shot of a set of logs generated by the nbs.tasl script:

[Screenshot Nbs_1: logs generated by the nbs.tasl script]

Issues and Complementary Technology

The first time you run the nbs.tasl script, every event is new. By default, the script spends one day learning which events are "normal". After that, any event that was not observed during that day is reported as "new" the first time it occurs, so expect a spike of alerts when the learning period ends.

Tenable considered building a longer "learning mode" into the script, but being able to graph how often "new" events occur initially, where they come from and how long they take to "quiet down" can itself yield useful information.

When using it for intrusion detection, keep in mind that nbs.tasl will not alert on the same event twice, even if the event is critical. This is deliberate. If a server is compromised for the first time one day and then compromised again the next day with the exact same technique, nbs.tasl will stay silent, so it should not be your only alert for critical IDS events.

We have also designed the nbs.tasl script to ignore network events from the TNM and TFM. Those logs are voluminous and add little value here. Similar logs for monitoring and detecting network change (new hosts, new ports, etc.) are already generated by the Passive Vulnerability Scanner.

Lastly, the LCE's statistics daemon looks for changes in the frequency of events and connections. Where nbs.tasl detects events that have never occurred before, the statistics daemon alerts on frequencies that have never been seen before, that is, a known event occurring far more or less often than usual.

Setting it Up

Please download all of these files to your /usr/thunder/daemons/plugins directory using wget or some other web client:

Keep in mind that if you already have a file of the same name (such as the PRM_Mappings.prm library), wget by default will not overwrite it but will save the download with a numerical extension such as PRM_Mappings.prm.1. Check for such files and move the new version into place yourself.

By default, nbs.tasl considers events to or from the Security Center "Customer Ranges" asset group. If a different asset group is available or preferred, enter it in the script.

The script also has a variable named LEARNING_PERIOD, set by default to the number of seconds in one day (86400). When the script first runs, it treats all events as "new" but does not alert on them until LEARNING_PERIOD seconds have elapsed. To start alerting immediately, set this variable to zero.
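To make the behaviour described in the sections above concrete (learning period, asset-range filter, TNM/TFM exclusion, alert-once semantics, and the source-versus-destination distinction from the "Detecting Intrusions" section), here is an added Python illustration of the same logic. It is not Tenable's nbs.tasl and does not run inside the LCE; the event names, the address ranges standing in for the "Customer Ranges" asset list, and the sample events are all constructed for the example.

```python
"""Never-before-seen (NBS) event detection, modelled on the behaviour the
post attributes to nbs.tasl. Added illustration, not Tenable's TASL code.
Assumed (not from the post): the event names, the asset ranges below, and
the constructed sample events."""
import ipaddress
from typing import List, Optional, Set, Tuple

# Stand-in for the Security Center "Customer Ranges" asset list (assumed values).
CUSTOMER_RANGES = [ipaddress.ip_network("192.168.1.0/24"),
                   ipaddress.ip_network("10.0.0.0/8")]

# The post excludes TNM/TFM connection events by default; these names are
# placeholders for those event types.
EXCLUDED_EVENTS = {"TNM-TCP_Session", "TFM-Flow"}

# Same default as the script: one day of learning before any alert.
LEARNING_PERIOD = 24 * 60 * 60


class Event:
    """A normalized event: timestamp (epoch seconds), name, source and destination IP."""
    def __init__(self, ts: int, name: str, src: str, dst: str):
        self.ts, self.name, self.src, self.dst = ts, name, src, dst


def in_ranges(ip: str, ranges=CUSTOMER_RANGES) -> bool:
    """True if ip falls within one of the watched asset ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


class NeverBeforeSeen:
    """Alert once per (event name, role, IP) triple, after a learning period.

    Keying on the role (src or dst) is what lets an IDS signature that has
    only ever been seen inbound to a host fire as "new" the first time that
    same host shows up as the source of the signature."""

    def __init__(self, learning_period: int = LEARNING_PERIOD, ranges=None, excluded=None):
        self.learning_period = learning_period
        self.ranges = list(ranges) if ranges is not None else list(CUSTOMER_RANGES)
        self.excluded = set(excluded) if excluded is not None else set(EXCLUDED_EVENTS)
        self.start_ts: Optional[int] = None
        self.seen: Set[Tuple[str, str, str]] = set()

    def process(self, ev: Event) -> List[str]:
        """Feed one event; return the alerts (possibly none) it produces."""
        if self.start_ts is None:
            self.start_ts = ev.ts                 # learning clock starts at the first event
        if ev.name in self.excluded:
            return []
        alerts = []
        for role, ip in (("src", ev.src), ("dst", ev.dst)):
            if not in_ranges(ip, self.ranges):
                continue                          # only watch monitored addresses
            key = (ev.name, role, ip)
            if key in self.seen:
                continue                          # already known: silent, even if critical
            self.seen.add(key)                    # learn it whether or not we alert
            if ev.ts - self.start_ts >= self.learning_period:
                alerts.append(f"NBS: first '{ev.name}' with {role}={ip} at t={ev.ts}")
        return alerts


# Constructed sample stream (not real LCE data); timestamps in seconds.
SAMPLE_EVENTS = [
    Event(0,      "Snort-Exploit_Attempt", "203.0.113.5",  "192.168.1.10"),  # learning
    Event(3600,   "Snort-Exploit_Attempt", "203.0.113.6",  "192.168.1.10"),  # learning
    Event(90000,  "Snort-Exploit_Attempt", "203.0.113.7",  "192.168.1.10"),  # known inbound: silent
    Event(90100,  "Snort-Exploit_Attempt", "192.168.1.10", "198.51.100.2"),  # host is now the source: alert
    Event(90200,  "TNM-TCP_Session",       "192.168.1.10", "198.51.100.2"),  # excluded event type
    Event(90300,  "SSH-Login_Failure",     "203.0.113.9",  "192.168.1.20"),  # never seen on this host: alert
    Event(90400,  "SSH-Login_Failure",     "203.0.113.9",  "198.51.100.9"),  # neither IP is watched
    Event(180000, "Snort-Exploit_Attempt", "192.168.1.10", "198.51.100.2"),  # same attack next day: silent
]


def run(events=SAMPLE_EVENTS, learning_period: int = LEARNING_PERIOD) -> List[str]:
    """Run the detector over an event list and return every alert it raised."""
    nbs = NeverBeforeSeen(learning_period=learning_period)
    out: List[str] = []
    for ev in events:
        out.extend(nbs.process(ev))
    return out


if __name__ == "__main__":
    for line in run():
        print(line)
```

With the default learning period the sample stream yields exactly two alerts: the monitored host appearing as the source of a Snort event it had only ever received, and a login-failure event on a host that never produced one during learning. Setting learning_period to 0 reproduces the "alert right away" behaviour, and the repeat at t=180000 stays silent in both cases, which is the caveat from the intrusion-detection section.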

Once these files are installed, restart your thunderd daemon.

For More Information

If event analysis interests you, all Tenable TASL scripts are available online. They are easily extended and work with the Log Correlation Engine. Tenable also offers two free webinars and several white papers on log analysis and event correlation, located here:

Please contact Tenable's sales or support groups for more information on these scripts.
